(54) Layer-independent security for communication channels



(57) A method and apparatus for providing layer-independent secure network communication is provided. According to an embodiment of the invention, a transmission medium is provided between a first network node and a second network node. Both the first network node and the second network node support at least one common communication protocol. A Java output stream is established between a first process executing on the first network node and the transmission medium. Also, a Java input stream is established between a second process executing on the second multilayered node and the transmission medium. Data to be transmitted from the first process to the second process is encrypted by the first process and written to the Java output stream. The data is transmitted to the second network node. Then the data is read from the Java input stream by the second process and decrypted.
Description

FIELD OF THE INVENTION 

The invention relates to data security, and more specifically, to a method and apparatus for providing layer-independent security in network communications.

BACKGROUND OF THE INVENTION 

Some communication networks, particularly complex ones, support multiple communication protocols or "layers." Each layer specifies some functionality or "service" of the network and interacts with the layers immediately above and below, using services of the layer immediately below, while providing services to the layer immediately above. The lowest layer in a communication network typically governs direct communication between the hardware at different network nodes, while the highest layer handles direct communication with application programs executing on the network nodes.

The layered approach to implementing communication networks simplifies the creation and modification of complex communication architectures by providing for incremental changes on a layer-by-layer basis which are transparent to other layers in the architecture. Two examples of layered communication protocols are the Transmission Control Protocol/Internet Protocol (TCP/IP), which has five layers, and the International Standards Organization's (ISO) Open Systems Interconnection (OSI) Reference Model (RM), which has seven layers.

The proliferation of communication networks and increased frequency of security breaches has underscored the importance of providing secure network communications. Many communication networks depend upon a secure communication connection or "channel" to maintain security. In the context of secure communication networks, a secure communication channel is a connection which provides for the encryption, authentication or otherwise secure transmission of data between network nodes.

Sometimes, setup negotiation is used to establish security for a communication channel. In the context of network communications, setup negotiation refers to specifying and agreeing to the details about security for a communication channel, such as the details of a particular encryption scheme to be used. Once setup negotiation is complete, all communication during the session conforms to the agreed upon security protocol, which provides secure communication.

Setup negotiation is an effective tool for providing secure communication during a communication session. However, when the amount of information included in each session is small, for example when a session contains only a single message, then the overhead attributable to setup negotiation can adversely affect communication performance. Moreover, some communication architectures do not include a session layer, which requires that a session layer be added to support session-type security, further degrading performance.
Another approach for providing a secure communication channel involves encrypting or encoding data at a specific layer on a transmitting network node and then decrypting or decoding the data at a corresponding layer on a destination network node. Encrypting data at a specific layer typically involves applying an encryption algorithm based upon the format of data at a particular layer. Header data added by higher layers is also encrypted. Layer-specific encryption is particularly useful in datagram-based or packet-based networks which are typically sessionless and encapsulate data in datagram packets or some other type of data packet. For example, header data may be added to a data packet so that the data packet conforms to a particular format. This approach also provides for multiple encryptions to be performed at different layers.

Although layer-specific encryption can provide a secure communication channel while avoiding the overhead penalty associated with setup negotiation, it does have several limitations. First, all encryption and decryption must occur at the same corresponding layer on both the transmitting and receiving network nodes, according to the specific protocol supported by that layer. For example, Simple Key Management for Internet Protocols (SKIP) is designed to be used with internet protocol packets at the network layer, which requires internet layer-specific function calls. On the other hand, Netscape Communications Corporation's Secure Sockets Layer (SSL) is designed to be used at the (Unix) socket layer and requires socket layer-specific function calls to encrypt and decrypt data. The result is that one application implementing security according to SKIP cannot interact with another application implementing security according to SSL.

In addition, layer-specific encryption can be difficult to employ in object-oriented environments because of the inherent level of abstraction required. For example, some layers operate on data bytes, which often is a much lower level than objects in an object-oriented environment.

In view of both the need to provide secure communication channels and the limitations in the prior approaches, an approach for providing a secure communication channel which does not rely upon layer-specific encryption and which does not require setup negotiation is highly desirable.

SUMMARY OF THE INVENTION 

According to one aspect of the invention, a method provides communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node. Both the first network node and the second network node each support at least one common communication protocol. According to the method, a communication channel is established between the first network node and the second network node. Then, a first stream is established between the first process and the communication channel.

In the context of the invention, a "stream" is an abstraction which refers to the transfer or "flow" of data, in any format, from a single source to a single destination. A stream typically flows through a channel or connection between the sender and receiver, in contrast to data packets, which are typically individually addressed and which may be routed independently to multiple recipients. Hence, an application can write data to, or read data from, a stream without knowing the actual destination or source, respectively, of the data.

After the first stream is established between the first process and the communication channel, a second stream is established between the second process and the communication channel. Data to be transmitted between the first and second processes is encrypted. The encryption of the data is independent of the communication protocol supported by the first network node. The encrypted data is then written to the first stream, which causes the encrypted data to be transmitted from the first network node to the second network node. The encrypted data is read from the second stream and then decrypted to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

Figure 1 is a block diagram of a multi-layered communication network according to an embodiment of the invention;

Figure 2 is a block diagram of a multi-layered communication network according to another embodiment of the invention;

Figure 3 illustrates a stream format according to an embodiment of the invention;

Figure 4 is a flow chart illustrating a method for providing layer-independent secure communication in a multi-layered communication network according to an embodiment of the invention;

Figure 5 is a block diagram of a Java secure channel arrangement according to an embodiment of the invention; and

Figure 6 is a block diagram of a computer system on which the invention may be implemented.



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

A method and apparatus for providing layer-independent secure communications in a multi-layered communication network is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, the invention may be practiced without these specific details. In other instances, well-known structures and devices are illustrated in block diagram form in order to avoid unnecessarily obscuring the invention.

FUNCTIONAL OVERVIEW

The invention provides a method and apparatus for providing layer-independent secure communications in a multi-layered communication network. In general, a communication channel or connection is first established between a first multi-layered network node and a second multi-layered network node. Then, a first stream is established between a first process, executing on the first multi-layered network node, and the communication channel. A second stream is then established between a second process, executing on the second multi-layered network node, and the communication channel. Then, the first process performs a layer-independent encryption of data to be transmitted between the first and second multi-layered network nodes and then writes the encrypted data to the first stream, which causes the encrypted data to be transmitted to the second multi-layered network node. Then, the encrypted data is read by the second process from the second stream and decrypted so that the decrypted data is identical to the data on the first multi-layered network node prior to being encrypted.

Figure 1 illustrates a multi-layered communication network 100 to which the invention is applicable. In general, multi-layered communication network 100 includes multi-layered nodes 102, 104, communicatively coupled by transmission medium 106. Although multi-layered communication network 100 may resemble the International Standards Organization (ISO) Open Systems Interconnection (OSI) Reference Model (RM), the invention is applicable to any multi-layered communication network.

A process 108 executes on multi-layered node 102 while a process 110 executes on multi-layered node 104. Multi-layered node 102 supports a multi-layered communication hierarchy 112, where each identified layer supports a particular communication protocol. Each layer in hierarchy 112 offers certain services to the higher layers while shielding the higher layers from the details of how those services are actually implemented. Multi-layered node 104 also supports a multi-layered communication hierarchy 114, which includes layers corresponding to the layers in hierarchy 112. All data transmitted from process 108 to transmission medium 106 conforms to all communication protocols supported by hierarchy 112.

For example, to transmit data 116 from process 108 to transmission medium 106, data 116 must first conform to an application protocol specified by application layer 118 on multi-layered node 102. According to one embodiment of the invention, this requires that data 116 be formatted according to the application layer 118 protocol and that an application protocol header AH be appended to the front end of data 116 which specifies the format of data 116.

This process is repeated for each layer in hierarchy 112. According to one embodiment of the invention, the formatting of data 116 according to a data link layer 120 involves the addition of both a header portion DH and a trailer portion DT to a data portion 122. It should be noted that data link layer 120 is not aware of which portion of data portion 122 corresponds to data 116 and which portion represents formatting information of higher layers. Data link layer 120 formats the entire data portion 122 without regard to which portion may be "real" data 116 and which portion is formatting information added by higher layers in hierarchy 112.

When messages are received by multi-layered node 104 from transmission medium 106, a reverse process occurs. Since messages must conform to the application layer protocol before being processed by process 110, any formatting information attributable to layers below application layer 128 must be removed.

As previously discussed, one approach for providing secure communication between process 108 and process 110 is to have processes 108, 110 perform setup negotiation prior to transmitting data. However, this approach can adversely affect data throughput, particularly when the setup negotiation is performed on a packet-by-packet basis.

Another previously discussed approach is to encrypt the data at one of the layers in hierarchy 112 on multi-layered node 102 before transmitting the data on transmission medium 106. Then, after the encrypted data is received on node 104, the data is decrypted at the corresponding layer in hierarchy 114 on multi-layered node 104 before the data is received by process 110. For example, data may be encrypted at the network layer 124 on multi-layered node 102 and then decrypted at network layer 126 on multi-layered node 104 on a packet-by-packet basis. Although this approach is robust from a security standpoint, the data must be decrypted at the same layer at which the data was encrypted.

LAYER-INDEPENDENT SECURITY 

An approach which provides layer-independent secure network communication in a multi-layered communication network according to an embodiment of the invention is illustrated by the block diagram of Figure 2. A multi-layered communication network 200 includes multi-layered nodes 202, 204 which are communicatively coupled by a transmission medium 206. A process 208 executes on multi-layered node 202 while a process 210 executes on multi-layered node 204.

Multi-layered nodes 202, 204 each support one or more communication layers (protocols) including socket layers 212, 214, respectively. Socket layers 212, 214 provide an interface between processes 208, 210, respectively, and transmission medium 206. Multi-layered nodes 202, 204 may support additional layers (not illustrated) both above and below socket layers 212, 214. Accordingly, socket layers 212, 214 each include sockets (not illustrated), which are end points similar to an OSI Transport Service Access Point (TSAP), and which provide a connection between layers above and below socket layers 212, 214. In addition, a Java secure channel 216 is provided between node 202 and node 204. Java secure channel 216 provides for the layer-independent encryption of high level data constructs such as objects.

Generally, according to an embodiment of the invention, layer-independent security for communications between process 208 and process 210 is provided by process 208 encrypting data which is then written to a Java output stream 218. A Java stream is a stream which provides for the transfer of low level data constructs, such as bytes, as well as high level data constructs, such as serialized objects, between a source and a destination. The data is then conformed to a socket layer protocol by socket layer 212 and written to transmission medium 206. The data is then processed according to the socket layer protocol by socket layer 214, read from a Java input stream 220 by process 210 and finally decrypted by process 210.

Encryption of stream data according to embodiments of the invention is by definition layer-independent and provides a level of abstractness which is compatible with many abstract processes and languages which support streams, such as object-oriented languages. Besides the layer-independent data encryption performed by process 208, additional (layer-dependent) encryption may be provided at any layer in node 202, with decryption being performed at the corresponding peer layer in node 204.
The data format of object output stream 218 and object input stream 220 is illustrated in Figure 3. Generally, stream format 300 is an abstract message format which is self-contained and layer-independent. Stream format 300 includes 1 to N variable length messages (M1, M2...Mn). Each message (M1, M2...Mn) includes a header portion (H1, H2...Hn) and a data portion (DATA1, DATA2...DATAn). According to one embodiment of the invention, each header portion (H1, H2...Hn) specifies the length of the associated data portion (D1, D2...Dn) and also includes encryption key/authentication information which eliminates the need for setup negotiation. However, certain encryption key/authentication information is established once during system setup so that recipients of the messages (M1, M2...Mn) can decrypt data contained in the data portion (D1, D2...Dn) of each message (M1, M2...Mn).

The flexibility of stream format 300 of the invention provides for the implementation of various encryption/authentication approaches and is not limited to the particular encryption/authentication approach described herein. In addition, since stream format 300 is layer-independent, various data formats may be employed without departing from the scope of the invention.

The specific steps for providing layer-independent security of network communication according to an embodiment of the invention are now described with reference to both the block diagram of Figure 2 and the flow chart of Figure 4. Generally, the steps are described in the context of an object-oriented programming method associated with an object contained in process 208 which invokes a method associated with a remotely located object contained in process 210. In the non-object-oriented context, this is very similar to process 208 issuing a remote procedure call (RPC) to invoke a process remotely located on multi-layered node 204. For purposes of explanation, the data transmitted by the method associated with the object contained in process 208 which invokes the method associated with the remotely located object contained in process 210 is hereinafter referred to as the "object data."
After starting in step 400, in step 402, multi-layered nodes 202, 204 establish an encryption/authentication approach during system setup. Unlike traditional setup negotiation, which must be continuously re-negotiated, such as on a per-session basis, the agreed upon encryption/authentication approach established between multi-layered nodes 202, 204 only needs to be set up once during system setup, or when either multi-layered node 202, 204 is connected to another node and the security techniques described herein are to be employed with that other node.

In step 404, a Java secure channel 216 is established between node 202 and node 204. According to one embodiment of the invention, Java secure channel 216 is an object class which is defined and invoked by process 208.

In step 406, object output stream 218 is established between process 208 and socket layer 212, and in step 408, object input stream 220 is established between socket layer 214 and process 210. According to one embodiment of the invention, object output stream 218 is an object class defined by process 208 while object input stream 220 is an object class defined by process 210.

In step 410, the object data to be transmitted from process 208 to process 210 is serialized, sometimes referred to as "flattening the object," and then encrypted in step 412 based upon the encryption/authentication approach established in step 402.

In step 414, the object data (serialized and encrypted) is written to object output stream 218, which is received by socket layer 212 and formatted according to the socket layer protocol. In step 416, the object data is transmitted from socket layer 212 of multi-layered node 202 to socket layer 214 of multi-layered node 204 over transmission medium 206.

As previously discussed, multi-layered node 202 is illustrated as having a single layer, socket layer 212, while multi-layered node 204 is illustrated as having a single layer, socket layer 214, for purposes of explanation. However, multi-layered nodes 202, 204 may be multi-layered and contain other layers above and below socket layers 212, 214. Consequently, although according to an embodiment of the invention the object data is transmitted onto transmission medium 206 in the format illustrated in Figure 3, it is understood that additional formatting of the object data may be performed according to various other communication protocols contained in multi-layered nodes 202, 204. For example, if multi-layered node 202 also supports Internet protocol (IP), then each message (M1, M2...Mn) illustrated in Figure 3 would also contain IP header information.

After the object data is received by socket layer 214, the object data is read from object input stream 220 by process 210 in step 418. In step 420, the object data is decrypted according to the encryption/authentication approach established in step 402. Then, in step 422, the object data is de-serialized and the method associated with the object remotely located in process 210 is executed. Finally, the process is complete in step 424.
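As an added example that is not the patent's own code, the Java class below implements a message framing in the spirit of stream format 300 (Figure 3) and walks through steps 402 to 422 described above: a key fixed once at setup, serialization of the object data, encryption, writing to a plain OutputStream, then reading, decrypting and de-serializing on the other side. The header layout (key id, nonce, data length), the choice of AES-GCM as the encryption/authentication approach, the HashMap payload and the in-memory buffer standing in for socket layer and transmission medium are all assumptions of this example.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not the patent's code) of stream format 300 and steps 402-422.
 * Each message = header H (key id, nonce, data length) + data portion (ciphertext + GCM tag).
 * The framing is written to any OutputStream and read from any InputStream, so the same
 * code rides on a socket, a file or an in-memory buffer: the caller's stream is layer-independent.
 */
public class SecureStreamChannel {
    private static final int NONCE_BYTES = 12;                       // GCM standard nonce size
    private static final int TAG_BYTES = 16;                         // GCM authentication tag
    private static final int HEADER_BYTES = 4 + NONCE_BYTES + 4;     // key id + nonce + data length
    private static final int MAX_DATA = 1 << 20;                     // refuse absurd lengths from a peer (assumption)

    private final SecretKey key;   // step 402: established once at system setup, never re-negotiated
    private final int keyId;       // header "key information": names the setup key in use
    private final SecureRandom rng = new SecureRandom();

    public SecureStreamChannel(byte[] rawKey, int keyId) {
        this.key = new SecretKeySpec(rawKey, "AES");
        this.keyId = keyId;
    }

    /** Steps 410-414: serialize ("flatten") the object, encrypt, write header and data portion. */
    public void writeObject(OutputStream out, Serializable obj) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(obj);
        }
        byte[] plain = buf.toByteArray();

        byte[] nonce = new byte[NONCE_BYTES];   // fresh per message; a nonce reuse would break GCM
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, nonce));

        byte[] header = ByteBuffer.allocate(HEADER_BYTES)
                .putInt(keyId).put(nonce).putInt(c.getOutputSize(plain.length)).array();
        c.updateAAD(header);                    // the header is authenticated along with the data
        byte[] data = c.doFinal(plain);

        out.write(header);
        out.write(data);
        out.flush();
    }

    /** Steps 418-422: read one message, verify and decrypt, then de-serialize under a filter. */
    public Object readObject(InputStream in) throws IOException, GeneralSecurityException, ClassNotFoundException {
        DataInputStream dis = new DataInputStream(in);
        byte[] header = new byte[HEADER_BYTES];
        dis.readFully(header);
        ByteBuffer hb = ByteBuffer.wrap(header);
        int id = hb.getInt();
        byte[] nonce = new byte[NONCE_BYTES];
        hb.get(nonce);
        int len = hb.getInt();
        if (id != keyId) throw new GeneralSecurityException("unknown key id " + id);
        if (len < TAG_BYTES || len > MAX_DATA) throw new IOException("bad data length " + len);
        byte[] data = new byte[len];
        dis.readFully(data);

        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, nonce));
        c.updateAAD(header);
        byte[] plain = c.doFinal(data);         // throws AEADBadTagException if anything was altered

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            // A valid tag proves the holder of the setup key sent this; it says nothing about the
            // object graph, so only the classes this receiver expects may be reconstructed.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.String;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] setupKey = new byte[16];          // constructed demo key; would come from step 402 in practice
        new SecureRandom().nextBytes(setupKey);
        SecureStreamChannel sender = new SecureStreamChannel(setupKey, 7);
        SecureStreamChannel receiver = new SecureStreamChannel(setupKey, 7);

        HashMap<String, String> call = new HashMap<>();   // constructed "object data" for a remote call
        call.put("method", "deposit");
        call.put("amount", "100");

        ByteArrayOutputStream medium = new ByteArrayOutputStream(); // stands in for socket layer + medium
        sender.writeObject(medium, call);
        byte[] wire = medium.toByteArray();
        System.out.println("received: " + receiver.readObject(new ByteArrayInputStream(wire)));

        wire[wire.length - 1] ^= 0x01;           // one bit changed in transit
        try {
            receiver.readObject(new ByteArrayInputStream(wire));
        } catch (AEADBadTagException e) {
            System.out.println("message rejected: authentication tag mismatch");
        }
    }
}
```

Because the class only touches the java.io stream abstractions, it behaves identically whether the OutputStream is a socket stream, a file stream or the in-memory buffer used here, which is the layer independence the description claims. The filter on the ObjectInputStream is the check a practitioner would want next to this design: decryption with the setup key establishes who produced the bytes, not that the serialized graph is safe to reconstruct, so the receiver restricts de-serialization to the classes it expects.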

Although embodiments of the invention have been described in the context of encrypting and decrypting object data by processes 208, 210, which are effectively above all of the layers supported by multi-layered nodes 202, 204, respectively, data may be encrypted and decrypted at any layer supported by multi-layered nodes 202, 204, since the encryption of data is performed before the data is written to a stream and is therefore layer-independent.

For example, referring again to Figure 1, according to another embodiment of the invention, process 108 encrypts data 116 and then writes data 116 to a stream (not illustrated) which is formatted according to the protocol hierarchy 112 and transmitted to multi-layered node 104 on transmission medium 106. Since data 116 was encrypted at the stream level, data 116 may be decrypted at any layer in hierarchy 114, so long as data 116 can be extracted from the data stream. Typically, the size and position of data 116 within a data chunk is known, which allows data 116 to be extracted from a data chunk even though the data chunk contains protocol-specific information from higher layers. However, if data 116 is encrypted at any other layer in hierarchy 112, then data 116 must first be decrypted at a corresponding layer in hierarchy 114.

According to another embodiment of the invention, a stream is connected to several other protocol-specific streams to support the broadcasting or multi-casting of encrypted information. Figure 5 illustrates an arrangement 500 which includes a stream 502 according to an embodiment of the invention, connected via connectors 504 to intelligent converters 506, which convert stream 502 into protocol-specific streams 508 such as file I/O, object I/O and socket I/O streams. Converters 506 have the capability to extract the data portion from stream 502 to support streams 508 at any protocol layer.

According to arrangement 500, any number of protocol-specific streams 508 may be connected to stream 502. In addition, the headers of messages in stream 502 may contain destination-specific encryption/authentication information. For example, stream 502 may contain an encryption/authentication value A, while a recipient of one of the protocol-specific streams 508 holds a key value X, making the decryption of stream 502 a function of A and X (key = f(A, X)). Likewise, similar keys may be developed for the other protocol-specific streams 508.
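The description leaves f(A, X) abstract. As an added example, not part of the patent, the following Java code realises it as an HMAC-SHA256 key derivation: A is the public per-message value carried in the header of stream 502, X is the secret held by one recipient, and the sender, assumed here to share each recipient's X, derives the same per-destination key. The recipient secrets, the domain-separation label and the 128-bit output size are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not the patent's code): destination-specific keys key = f(A, X) for arrangement 500. */
public class DestinationKeys {
    private static final int AES_KEY_BYTES = 16;

    /** f(A, X) realised as HMAC-SHA256 keyed with the recipient's secret X over the header value A. */
    public static byte[] deriveKey(byte[] headerValueA, byte[] recipientSecretX) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(recipientSecretX, "HmacSHA256"));
        mac.update("stream-502-data-key".getBytes(StandardCharsets.UTF_8)); // domain-separation label (assumption)
        mac.update(headerValueA);
        return Arrays.copyOf(mac.doFinal(), AES_KEY_BYTES);                 // truncate to an AES-128 key
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] a = new byte[16];        // value A placed in the message header; it may be public
        rng.nextBytes(a);
        byte[] xSocket = new byte[32];  // secret X held by the socket I/O recipient (constructed)
        byte[] xFile = new byte[32];    // secret X held by the file I/O recipient (constructed)
        rng.nextBytes(xSocket);
        rng.nextBytes(xFile);

        // The sender derives one data key per destination from the same header value A.
        byte[] kSocketSender = deriveKey(a, xSocket);
        byte[] kFileSender = deriveKey(a, xFile);
        // Each recipient can derive only the key that its own X yields.
        byte[] kSocketRecipient = deriveKey(a, xSocket);
        System.out.println("socket recipient matches sender: " + Arrays.equals(kSocketSender, kSocketRecipient));
        System.out.println("socket key differs from file key: " + !Arrays.equals(kSocketSender, kFileSender));

        // A fresh A on the next message rotates every destination key without any setup negotiation.
        rng.nextBytes(a);
        System.out.println("new A gives a new socket key: " + !Arrays.equals(kSocketSender, deriveKey(a, xSocket)));
    }
}
```

Keeping A in the header and X off the wire means a converter 506 that forwards stream 502 to a destination it does not hold a secret for can still extract and route the data portion, but cannot read it; the caveat is that whoever produces the ciphertext for a destination must also be able to compute that destination's key, so in this symmetric form the sender is trusted with every X.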

HARDWARE OVERVIEW 


Figure 6 is a block diagram which illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a processor 604 coupled with bus 602 for processing information. Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 604. Computer system 600 also includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is also provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may also be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is also provided and coupled to bus 602 for communicating information and command selections to processor 604. Another type of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allows the device to specify positions in a plane.

The invention is related to the use of computer system 600 to provide layer-independent secure network communication. According to one embodiment of the invention, layer-independent secure network communication is provided by computer system 600 in response to processor 604 executing sequences of instructions contained in main memory 606. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. However, the computer-readable medium is not limited to devices such as storage device 610. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps previously described. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Computer 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 to a local network 622. For example, if communication interface 618 is an integrated services digital network (ISDN) card or a modem, communication interface 618 provides a data communication connection to the corresponding type of telephone line. If communication interface 618 is a local area network (LAN) card, communication interface 618 provides a data communication connection to a compatible LAN. Wireless links are also possible. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.

Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to a host computer 624 or to data equipment operated by an Internet Service Provider (ISP) 626. ISP 626 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 628. Local network 622 and Internet 628 both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on network link 620 and through communication interface 618, which carry the digital data to and from computer 600, are exemplary forms of carrier waves transporting the information.

Computer 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618. In accord with the invention, one such downloaded application provides for the synchronization of threads using selective object locking as described herein.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610, or other non-volatile storage for later execution. In this manner computer 600 may obtain application code in the form of a carrier wave.

Although the invention has been described in the context of connection-based communication architectures, the invention is also applicable to sessionless datagram or packet based communication architectures.

The invention provides several advantages over prior approaches for implementing secure network communications. Most importantly, security is implemented using streams which are layer independent. This allows an encrypted stream to be decrypted at any layer without requiring the use of layer-specific calls to perform the decryption, which provides greater flexibility than prior approaches. For example, an encrypted stream transmitted by a sending node may be decrypted by a firewall connection at the network (packet) layer having knowledge of the encryption approach negotiated during system setup. Moreover, this approach does not affect existing encryption being carried out at various layers. The approach of the invention avoids the setup negotiation which can significantly degrade communication performance in certain situations.
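
The stream-wrapping idea above, shown as an added illustration that is not code from the patent or from any product it describes. The patent names no cipher, so AES-GCM is an assumption here, as are the loopback socket, the class and method names, and the in-process key and nonce that stand in for the "encryption approach negotiated during system setup". The first process writes plaintext into an encrypting stream laid over a plain socket; the second node only collects raw bytes, the way a packet-layer intermediary would; any holder of the negotiated key then decrypts those bytes from a byte buffer with no socket- or protocol-specific call, which is the layer independence the text claims. The last block shows what a practitioner should expect from an authenticated cipher: a modified ciphertext is rejected rather than yielding garbage.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not the patent's code): encryption as a stream wrapper.
 * The same wrapper fits over a socket, a pipe or a byte buffer, so the
 * transport underneath never has to know that encryption is happening.
 */
public class LayerIndependentStreams {
    // Assumed algorithm; the patent does not name one.
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int TAG_BITS = 128;

    // Wrap any OutputStream so bytes are encrypted before they reach it.
    static OutputStream encrypting(OutputStream raw, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new CipherOutputStream(raw, c);
    }

    // Wrap any InputStream so bytes are decrypted as they are read. With GCM
    // the authentication tag is checked when the underlying stream ends.
    static InputStream decrypting(InputStream raw, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new CipherInputStream(raw, c);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and nonce for this demo only. In the patent's model they
        // come from the setup negotiation; a GCM nonce must never repeat under one key.
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[16];
        byte[] nonce = new byte[12];
        rng.nextBytes(keyBytes);
        rng.nextBytes(nonce);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] message = "layer-independent hello".getBytes(StandardCharsets.UTF_8);

        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Second node: accepts the TCP connection and, like an intermediary at
            // the packet layer, only collects raw bytes. No cipher is involved here.
            byte[][] captured = new byte[1][];
            Thread receiver = new Thread(() -> {
                try (Socket s = server.accept(); InputStream in = s.getInputStream()) {
                    captured[0] = in.readAllBytes();
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            });
            receiver.start();

            // First node: the process writes plaintext to the encrypting stream
            // laid over the socket's own output stream and nothing else.
            try (Socket s = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort());
                 OutputStream out = encrypting(s.getOutputStream(), key, nonce)) {
                out.write(message);
            } // close() emits the final block and the 16-byte authentication tag
            receiver.join();

            // Any party holding the negotiated key can decrypt the captured bytes
            // from a plain buffer; no socket- or protocol-specific call is needed.
            try (InputStream in = decrypting(new ByteArrayInputStream(captured[0]), key, nonce)) {
                String plain = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                System.out.println("decrypted from buffer: " + plain);
            }

            // A modified ciphertext fails the tag check instead of decrypting to garbage.
            byte[] tampered = captured[0].clone();
            tampered[0] ^= 0x01;
            try (InputStream in = decrypting(new ByteArrayInputStream(tampered), key, nonce)) {
                in.readAllBytes();
                System.out.println("unexpected: tampered data accepted");
            } catch (IOException e) {
                System.out.println("tampered data rejected: " + e.getCause());
            }
        }
    }
}
```

Two points worth keeping in mind when reading this against the patent's description. The "layer independence" holds only for the transport: whoever decrypts still needs the key and nonce from the setup negotiation, and the patent's statement that the approach "avoids the setup negotiation" refers to per-layer negotiation, not to key agreement itself. And CipherInputStream only reports a bad GCM tag at end of stream, so a reader that acts on partial plaintext before the stream is exhausted is acting on unauthenticated bytes; a practitioner would buffer the whole message, as readAllBytes() does here, before trusting it.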

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.



Claims 

1. A method for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the method comprising the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the at least one communication protocol supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

2. The method of Claim 1, further including the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.


3. The method of Claim 1, wherein the communication channel is a Java secure channel,

wherein the first stream is a first Java stream,

wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,

wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,

wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

4. The method of Claim 1, wherein the communication channel is a Java secure channel, wherein the first stream is a Java stream,

wherein the second stream is a Java stream,

wherein the method further comprises the step of connecting the Java secure channel to a third Java stream, and

wherein the third Java stream provides for the transmission of data according to a specific communication protocol.


5. A computer-readable medium having stored thereon a plurality of sequences of instructions for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the plurality of sequences of instructions including sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

6. The computer-readable medium of Claim 5, wherein the computer-readable medium further includes instructions for performing the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.


7. The computer-readable medium of Claim 5, wherein the first stream is a first Java stream,

wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,

wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,

wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

8. The computer-readable medium of Claim 5, wherein the communication channel is a Java secure channel,

wherein the first stream is a Java stream,

wherein the second stream is a Java stream,

wherein the computer-readable medium further includes instructions for connecting the Java secure channel to a third Java stream, and

wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

9. A communication network providing communica- 
tion protocol-independent secure communication 
between a first network node and a second network 
node, wherein the first network node and the sec- 
ond network node each support at least one com- 
mon communication protocol, wherein the first net- 
work node is communicatively coupled to the sec- 
ond network node by a communication channel, the 
communication network comprising: 

a) a first process executing on the first network node, wherein the first process provides for the communication protocol-independent encryption of data;

b) a first stream which provides for the transfer of encrypted data between the first process and the communication channel;

c) a second process executing on the second network node; and

d) a second stream which provides for the transfer of encrypted data between the communication channel and the second process, wherein the second process also provides for the decryption of data which has been encrypted by the first process.

10. The communication network of Claim 9, wherein the second process further includes the capability to decrypt data based upon any communication protocol supported by the second network node.

11. The communication network of Claim 9, wherein the communication channel is a Java secure channel, the first stream is a Java stream and the second stream is a Java stream.

12. The communication network of Claim 11, further comprising a third Java stream connected to the Java secure channel, the third Java stream providing for the transmission of data according to a specific communication protocol.

13. A computer data signal embodied in a carrier wave and representing sequences of instruction which, when executed by one or more processors, provide communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, by performing the steps of:

a) establishing a communication channel between the first network node and the second network node;

b) establishing a first stream between the first process and the communication channel;

c) establishing a second stream between the second process and the communication channel;

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node;

e) writing the encrypted data to the first stream;

f) causing the encrypted data to be transmitted from the first network node to the second network node;

g) reading the encrypted data from the second stream; and

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

14. The computer data signal of Claim 13, wherein the computer sequence of instructions further includes instructions for performing the steps of:

a) performing a communication protocol-specific encryption of the data on the first network node, and

b) performing a communication protocol-specific decryption of the data on the second network node.

15. The computer data signal of Claim 13, wherein the first stream is a first Java stream,

wherein the second stream is a second Java stream,

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes,

wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel,

wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel,

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream.

16. The computer data signal of Claim 13, wherein the communication channel is a Java secure channel,

wherein the first stream is a Java stream,

wherein the second stream is a Java stream,

wherein the computer sequence of instructions further includes instructions for connecting the Java secure channel to a third Java stream, and

wherein the third Java stream provides for the transmission of data according to a specific communication protocol.

17. A method for providing communication protocol-independent security for data transmitted by a process executing on a network node, the method comprising the steps of:

a) establishing a stream between the process and a communication channel;

b) encrypting data to be transmitted by the process, the encrypting of the data being independent of a communication protocol supported by the network node;

c) writing the encrypted data to the stream; and

d) causing the encrypted data to be transmitted from the network node to the communication channel.

18. The method of Claim 17, wherein the communication channel is a Java secure channel,

wherein the stream is a first Java stream,

wherein the step of establishing a stream between the process and the communication channel further comprises the step of establishing a Java stream between the process and the Java secure channel, and

wherein the step of writing the encrypted data to the stream further comprises the step of writing the encrypted data to the Java stream.

19. The method of Claim 17, wherein the communication channel is a Java secure channel, wherein the stream is a Java stream,

wherein the method further comprises the step of connecting the Java secure channel to a second Java stream, and

wherein the second Java stream provides for the transmission of data according to a specific communication protocol.